Abstract

Recently, a new scheme was proposed for deniable authentication. Its main originality lay in applying a chaos-based encryption-hash parallel algorithm and the semi-group property of the Chebyshev chaotic map. Although original and practicable, the scheme is shown in this paper to be both insecure and inefficient, which renders it inadequate for adoption in e-commerce.



1 Introduction 

In recent years, chaos-based cryptography has been drawing a great deal of attention from researchers in a variety of disciplines [1-5]. One of the most interesting chaos-based encryption algorithms proposed to date exploits the ergodic property of chaotic orbits [6]. In the following years, many other works enhanced or analyzed its speed and security [7-14]. More recently, a new scheme for deniable authentication making use of a chaos-based encryption-hash parallel algorithm and the semi-group property of the Chebyshev chaotic map was proposed [15]. In this paper it is shown that the authors' claim that the scheme is "secure and efficient" can be contradicted.



2 The scheme 

According to [16], the two main characteristics of deniable authentication are: i) a sender S (also called prover in the literature) is able to authenticate a message m to a receiver R (also called verifier); and ii) the receiver R is unable to convince a third party that a message m was authenticated by S. An attacker M (acting as man-in-the-middle between S and R) should not be able to authenticate to R a message m which S did not authenticate for R.

Many different constructions of deniable authentication protocols have been published based on traditional cryptography (see for example [16] and references therein). Usually, these protocols require at a minimum a hashing algorithm and a public key cryptography algorithm. The scheme proposed in [15] uses the chaos-based encryption-hash parallel algorithm defined in [8, 10] and the Chebyshev chaotic map to realize key agreement, as proposed in [17].



2.1 Encryption-hash



The encryption-hash algorithm uses the logistic map

$$y_{n+1} = b\, y_n (1 - y_n),$$

where $y_n \in [0, 1]$ and the parameter satisfies $3.99 < b < 4.0$, so that the map behaves chaotically. Following [6], the interval $[y_{\min}, y_{\max}]$, where $0 < y_{\min} < y_{\max} < 1$, is divided into $s = 256$ subintervals, in one-to-one correspondence with as many ASCII characters (see Fig. 1). The secret key is given by the initial point $y_0$ and the parameter value $b$. To encrypt an 8-bit block, i.e., an ASCII character, the orbit is iterated starting from $y_0$ as many times as necessary until it lands in the subinterval corresponding to the given ASCII symbol. The number of iterations is recorded as the ciphertext of that block. This procedure is repeated until the plaintext is exhausted.

In [8], a dynamic table is used for looking up the ciphertext and plaintext, which is no longer fixed during the whole encryption and decryption processes as in [6]. Instead, it depends on the plaintext, being continuously updated during the encryption and decryption processes. When the $i$th message block is encrypted, the look-up table is updated dynamically by exchanging the $i$th entry $l_i$ with another entry $l_j$. The location of the latter entry, i.e., the value of $j$, is determined by the current value of $y$ using the following formula:

$$v = \left\lfloor \frac{y - y_{\min}}{y_{\max} - y_{\min}} \times s \right\rfloor, \qquad j = i + v \bmod s,$$

where $y_{\min}$ and $y_{\max}$ are the end points of the chosen interval $[y_{\min}, y_{\max}]$ and $s$ is the total number of entries in the table [8].
In [10], the previously described chaotic cryptographic scheme is generalized by allowing the swapping of multiple pairs of entries in the look-up table during the encryption of each input block, and by allowing multiple runs of encryption on the whole message continuously. Starting from the current entry $i$, $p$ pairs of entries ($p \geq 1$) are swapped according to the following rule: $i \leftrightarrow (i + v \bmod s)$, $(i + v + 1 \bmod s) \leftrightarrow (i + 2v + 1 \bmod s)$, $(i + 2v + 2 \bmod s) \leftrightarrow (i + 3v + 2 \bmod s)$, \ldots, $(i + (p-1)v + p - 1 \bmod s) \leftrightarrow (i + pv + p - 1 \bmod s)$. Once the message has been encrypted, the whole process is repeated $r$ times, $r \geq 1$. The final look-up table is the hash of the message [10].



2.2 Session key agreement 

The key agreement protocol is based on Chebyshev polynomials and their properties. The Chebyshev polynomial of degree $n$ is defined as

$$T_n(x) = \cos(n \cdot \arccos(x)), \quad x \in [-1, 1].$$

The polynomial $T_n(x)$ is recursively defined as

$$T_{n+1}(x) = 2x\, T_n(x) - T_{n-1}(x), \quad \text{for any } n > 0,$$

where $T_0(x) = 1$ and $T_1(x) = x$. Chebyshev polynomials satisfy the semi-group property $T_p(T_q(x)) = T_{pq}(x)$, and also commute under composition: $T_p(T_q(x)) = T_q(T_p(x))$. These two properties make them eligible for public key cryptography and authentication [17].

The key agreement process described in [15] is as follows:

(1) S and R choose a publicly known random number $x \in [-1, 1]$.

(2) S chooses a random large integer $p$, computes $P = T_p(x)$ and sends $P$ to R.

(3) R chooses a random large integer $q$, computes $Q = T_q(x)$ and sends $Q$ to S.

(4) S computes the secret key as $k = T_p(Q) = T_p(T_q(x))$.

(5) R computes the secret key as $k' = T_q(P) = T_q(T_p(x))$.

Due to the semi-group property, $k = k' = T_{pq}(x)$. All the communication steps are susceptible to interception and manipulation by an attacker: $x$, $P = T_p(x)$ and $Q = T_q(x)$ might be known or altered by the attacker acting as a man-in-the-middle M. The security of this algorithm relies on the assumption that, given only the pair $(x, T_n(x))$, it is very difficult to compute the order $n$ of the polynomial.
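As an added example (not code from [15] or [17]), the following Python script evaluates $T_n(x)$ by the recurrence above, checks the semi-group and commutation properties numerically, and runs the five steps of the key agreement with the constructed values $x = 0.37$, $p = 7$, $q = 11$; the tiny degrees are for illustration only, the scheme itself calls for large ones.

```python
"""Added illustration of the Chebyshev key agreement of Section 2.2.
Not the code of [15] or [17]; all numeric values below are constructed."""
import math


def chebyshev(n, x):
    """T_n(x) by the recurrence T_{n+1}(x) = 2x T_n(x) - T_{n-1}(x), T_0 = 1, T_1 = x."""
    if n == 0:
        return 1.0
    t_prev, t = 1.0, x
    for _ in range(n - 1):
        t_prev, t = t, 2.0 * x * t - t_prev
    return t


def chebyshev_cos(n, x):
    """Closed form T_n(x) = cos(n * arccos(x)), valid for x in [-1, 1]."""
    return math.cos(n * math.acos(x))


def semigroup_holds(p, q, x, tol=1e-9):
    """Numerically check T_p(T_q(x)) = T_pq(x) = T_q(T_p(x))."""
    lhs = chebyshev(p, chebyshev(q, x))
    return (math.isclose(lhs, chebyshev(p * q, x), abs_tol=tol)
            and math.isclose(lhs, chebyshev(q, chebyshev(p, x)), abs_tol=tol))


def key_agreement(x, p, q):
    """Steps (1)-(5): returns the public values P, Q and both derived keys."""
    P = chebyshev(p, x)            # sent by S to R
    Q = chebyshev(q, x)            # sent by R to S
    k_sender = chebyshev(p, Q)     # k  = T_p(T_q(x))
    k_receiver = chebyshev(q, P)   # k' = T_q(T_p(x))
    return P, Q, k_sender, k_receiver


if __name__ == "__main__":
    x = 0.37                 # constructed public point in [-1, 1]
    p, q = 7, 11             # constructed private degrees
    P, Q, k, k_prime = key_agreement(x, p, q)
    print(f"P = {P:.6f}, Q = {Q:.6f}")
    print(f"k = {k:.12f}, k' = {k_prime:.12f}, "
          f"equal: {math.isclose(k, k_prime, abs_tol=1e-9)}")
    print("semi-group property holds:", semigroup_holds(p, q, x))
```

Both parties obtain the same key only because of the semi-group property; the example checks it against the closed form as well, since the recurrence accumulates rounding error that grows with the degree.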
2.3 Deniable authentication protocol

Once S and R have agreed on a common session key $k$ as described before, S computes $E_k(m)$ and obtains the hash value $H(m)$ simultaneously. S sends $E_k(m)$ and $H(m)$ to R. Now R can decrypt $D_k(E_k(m)) = m$ using the same session key $k$, obtaining simultaneously the hash value $H'(m)$. If both hashes $H$ and $H'$ are identical, R is assured that the message $m$ was sent by S. For a more thorough description of the scheme, the reader is referred to the original work [15].



3 Analysis of the scheme 

In this section, the insecurity and inefficiency of the scheme proposed in [15] 
are analyzed. 

3.1 Security analysis of the scheme

The security of the encryption-hash algorithm [8, 10] was already studied in [18], where it was shown that:

• The algorithm is vulnerable to chosen-ciphertext, chosen-plaintext and known-plaintext attacks. As a consequence, implementations of this algorithm can never reuse the same key; if they do, they are easily broken.

• The look-up table, and thus the hash, does not depend on the key but only on the plaintext, which facilitates cryptanalysis.

• Breaking the hash algorithm is possible when $p = 1$ and $r = 1$, even without knowledge of the key $k$ ($y_0$ and $b$). In fact, it is easy to find two different messages $m$ and $m'$ such that $H(m) = H(m')$.

These results imply that successive messages authenticated by S should always use different session keys, thus running the key agreement protocol every time. This setting is fundamental to avoid the attacks mentioned in the first bullet. In order to avoid the attacks on the hashing scheme described in the third bullet, it is essential that $r > 1$ and $p > 1$. Due to the complexity of the attacks, the reader is referred to [18] for a more detailed explanation.
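As an added example serving Section 2.1 and the observations above (not the code of [8], [10] or [15]), the following Python implements the logistic-map encryption with a dynamic look-up table, including the $p$-pair swap rule of [10] and $r$ rounds, and takes the final table as the hash. Two details the text does not fix are assumed: the $i$ of the swap rule is the message block index reduced mod $s$, and the orbit continues from its current point rather than restarting from $y_0$ at each block. The interval $[0.2, 0.8]$, the keys and the message are constructed. Encrypting the same message under two different keys yields different ciphertexts but the same final table, which is the key-independence of the hash stated in the second bullet.

```python
"""Added illustration of the logistic-map encryption-hash of Sections 2.1 and 3.1.
Not the code of [8], [10] or [15]; the table-update indexing is an assumption."""

S = 256                    # number of subintervals = number of table entries
Y_MIN, Y_MAX = 0.2, 0.8    # constructed choice of the interval [y_min, y_max]
MAX_ITER = 1_000_000       # guard against an orbit that never hits the target


def logistic(y, b):
    """One step of y_{n+1} = b y_n (1 - y_n)."""
    return b * y * (1.0 - y)


def subinterval(y):
    """Index v in 0..S-1 of the subinterval holding y, or None if y is outside."""
    if not (Y_MIN <= y < Y_MAX):
        return None
    return int((y - Y_MIN) / (Y_MAX - Y_MIN) * S)


def swap_entries(table, i, v, p):
    """Swap rule of [10]: p pairs starting from entry i with step v.
    The t-th pair is (i + t*v + t) <-> (i + (t+1)*v + t), all taken mod S."""
    for t in range(p):
        a = (i + t * v + t) % S
        c = (i + (t + 1) * v + t) % S
        table[a], table[c] = table[c], table[a]


def encrypt_hash(message, y0, b, p=1, r=1):
    """Encrypt `message` (bytes) r times with key (y0, b). Returns the list of
    iteration counts of all rounds and the final table, which is the hash."""
    table = list(range(S))      # initial table: symbol k sits in subinterval k
    y = y0
    counts = []
    for _ in range(r):
        for i, byte in enumerate(message):
            target = table.index(byte)   # subinterval currently assigned to byte
            n = 0
            while True:
                y = logistic(y, b)
                n += 1
                if subinterval(y) == target:
                    break
                if n > MAX_ITER:
                    raise RuntimeError("orbit did not reach the target subinterval")
            counts.append(n)
            # Assumption: i = block index mod S; v = the subinterval just landed in.
            # Note that v depends on the table and the plaintext only, not on (y0, b).
            swap_entries(table, i % S, target, p)
    return counts, bytes(table)


def decrypt_hash(counts, y0, b, p=1, r=1):
    """Replay the orbit; returns the recovered message and the recomputed hash."""
    table = list(range(S))
    y = y0
    block = len(counts) // r
    message = bytearray()
    for k in range(r):
        for i in range(block):
            for _ in range(counts[k * block + i]):
                y = logistic(y, b)
            v = subinterval(y)
            if k == 0:                      # every round decrypts the same text
                message.append(table[v])
            swap_entries(table, i % S, v, p)
    return bytes(message), bytes(table)


if __name__ == "__main__":
    msg = b"hello, world"                           # constructed sample plaintext
    c1, h1 = encrypt_hash(msg, 0.31, 3.99, p=2, r=2)
    c2, h2 = encrypt_hash(msg, 0.57, 3.995, p=2, r=2)
    print("round trip ok:", decrypt_hash(c1, 0.31, 3.99, p=2, r=2)[0] == msg)
    print("different keys, different ciphertext:", c1 != c2)
    print("different keys, same hash:", h1 == h2)   # the weakness of the 2nd bullet
```

The swap offsets are computed from the subinterval index $v$, which is exactly the position of the plaintext symbol in the current table, so the sequence of table updates never involves $y_0$ or $b$; that is why the hash is a function of the plaintext alone. A practitioner auditing such a design should look for precisely this: a "hash" whose state transitions can be reproduced without the secret.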

On the other hand, the security of the key agreement protocol was studied in [19], where it was shown that an attack recovers the plaintext corresponding to a given ciphertext. The same attack can be applied to produce forgeries if the cryptosystem is used for signing messages, as it is in [15]. The weak spot of the protocol lies in the fact that several Chebyshev polynomials pass through the same point. The attack works as follows.

It is assumed that M knows $x$, $T_p(x)$ and $T_q(x)$, which are publicly available in the communication channel between S and R. To get the secret key $k$:

(1) M computes a $p'$ such that $T_{p'}(x) = T_p(x)$.

(2) M recovers $k = T_{p'q}(x) = T_{p'}(T_q(x))$.

Given $x$ and $T_p(x)$, an integer solution $p'$ to the equation $T_{p'}(x) = T_p(x)$ can be efficiently computed:

$$p' = \frac{\pm \arccos(T_p(x)) + 2\pi w}{\arccos(x)},$$

where $w$ is an integer. The reader is referred to [19] for the details on how to solve the previous equation using a system of two linear equations. This attack allows M to actively forge a message from S to R, which makes the authentication property fail (Sec. 3.2.2 in [15]), or to passively decrypt messages sent to R by S, which makes the security property fail (Sec. 3.2.3 in [15]).
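The following added Python example (not the code of [19]) illustrates the non-uniqueness of the degree that the analysis rests on. It uses the constructed public point $x = \cos(2\pi/17)$, so that $T_n(x) = \cos(2\pi n/17)$ repeats with period 17 and the formula above yields exact integer solutions $p'$; for a generic $x$ the integrality is only approximate in finite precision, which is the case [19] handles and which this example does not reproduce. The degrees $p = 5$, $q = 3$, the range of $w$ and the tolerance are assumptions.

```python
"""Added illustration for Section 3.1: several integers p' satisfy T_{p'}(x) = T_p(x),
so (x, T_p(x)) does not pin down the degree. Not the code of [19]."""
import math

X_DEMO = math.cos(2 * math.pi / 17)   # constructed public point: T_n(X_DEMO) = cos(2*pi*n/17)


def chebyshev(n, x):
    """T_n(x) by the three-term recurrence, T_0 = 1, T_1 = x."""
    if n == 0:
        return 1.0
    t_prev, t = 1.0, x
    for _ in range(n - 1):
        t_prev, t = t, 2.0 * x * t - t_prev
    return t


def same_point_degrees(x, P, max_w=3, tol=1e-6):
    """Integers p' = (+-arccos(P) + 2*pi*w) / arccos(x) for w = 0..max_w.
    Each one satisfies T_{p'}(x) = P; only candidates within tol of an integer are kept."""
    theta = math.acos(x)
    phi = math.acos(P)
    degrees = set()
    for w in range(max_w + 1):
        for sign in (1.0, -1.0):
            cand = (sign * phi + 2.0 * math.pi * w) / theta
            n = round(cand)
            if n > 0 and abs(cand - n) < tol:
                degrees.add(n)
    return sorted(degrees)


def keys_from_same_point(x, P, Q, max_w=3):
    """Session keys T_{p'}(Q) for every p' through (x, P); they all equal T_p(Q)."""
    return [chebyshev(d, Q) for d in same_point_degrees(x, P, max_w)]


if __name__ == "__main__":
    p, q = 5, 3                                      # constructed private degrees
    P, Q = chebyshev(p, X_DEMO), chebyshev(q, X_DEMO)
    k = chebyshev(p, Q)
    print("degrees p' with T_{p'}(x) = P:", same_point_degrees(X_DEMO, P))
    print("every p' yields the agreed key:",
          all(math.isclose(v, k, abs_tol=1e-9) for v in keys_from_same_point(X_DEMO, P, Q)))
```

Every $p'$ listed produces the same session key, so the hardness assumption stated at the end of Section 2.2 is not what the protocol actually needs: it would need the degree to be unique, and the periodicity of the cosine rules that out. This is the reason the protocol cannot be repaired by merely choosing larger $p$ and $q$.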



3.2 Efficiency analysis of the scheme 



Finally, in [15] it is claimed that the chaos-based encryption-hash parallel algorithm "saves certain computation time when compared with traditional hashing and cryptographic methods". This assertion might be interpreted in the sense that their algorithm is faster than traditional hashing and cryptographic methods, when in fact it is several orders of magnitude slower. Table 1 of [10] gives some results illustrating the performance of the proposed chaotic cryptographic and hashing algorithm. The performance depends on the values of $p$ and $r$. The best speed achieved is between 7.7 and 11.5 KB/s on a 1.8 GHz processor. On the other hand, traditional encryption algorithms such as DES or AES achieve speeds of 21.3 and 61.0 MB/s respectively on a 2.1 GHz processor [20]. With respect to traditional hashing algorithms, MD5 and SHA-1, the two most widely used, achieve speeds of 216.6 and 67.9 MB/s respectively on a 2.1 GHz processor [20]. Thus, the claim is shown to be unfounded. As a consequence, this algorithm is also very inefficient (between 1,000 and 10,000 times slower) when compared to similar traditional algorithms.
4 Conclusion



The attacks proposed in [18] and [19] show that the deniable authentication protocol presented in [15] is not secure. An attacker can forge messages in the name of the sender, thus violating the authentication requirement, and can decrypt messages sent by the sender, thus violating the security (confidentiality) requirement. Furthermore, the use of an encryption-hash algorithm based on discrete chaotic maps and on the ergodic property of chaotic orbits greatly reduces the protocol speed, making it inefficient as compared to other similar protocols. In view of these attacks, it is concluded that the lack of security, along with the low operation speed, may discourage the use of this scheme for secure applications.
Fig. 1. Schematic representation of how an attractor is divided into $s$ subintervals, each one with size $\epsilon = (y_{\max} - y_{\min})/s$. An alphabet unit is associated with each subinterval.



